12-30-2014 12:30 PM - edited 03-10-2019 10:18 PM
We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.
The appliance is installed on the network, properly licensed etc.
I joined the ACS server to the AD domain without a problem. I created some local and external (AD) users for testing.
I created a network device (catalyst switch) as a tacacs+ client, and specified single-connect.
When I SSH into the switch, I can log in using my AD username and password, but I cannot go into enable mode. It says "Error in authentication".
My aaa settings are:
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
I am missing something somewhere, I just don't know where. If I try to download the ACS support bundle, it says downloading, but doesn't say where to get it (or how).
Any advice would be great. I am new to this product.
12-30-2014 12:52 PM
Also, my aaa settings are:
aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local
12-31-2014 09:37 AM
OK, I have an update.
I found the reports in ACS, so that is not an issue. Here is what is happening:
I have a Catalyst 6509 that has been added to the ACS 5.6 server as an AAA client. The key has been verified, and the user accounts are fine (I have verified authentication against other network devices without a problem).
The AAA settings for the switch are:
aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
If I do a test aaa group tacacs <username> <password>
and enable aaa debugging on the switch, it says the user authenticated. If I look in the logs on the ACS server, it verifies that the user was authenticated without a problem.
Now, if I ssh into the switch and attempt to authenticate using the same credentials, it fails.
Nothing shows up in the ACS log, and the aaa debugging indicates it is trying to use the local database and failing.
The switch seems to be "stuck" somehow, and refusing to use the tacacs server.
Has anyone seen this?
12-31-2014 10:01 AM
OK, I have the solution.
The authentication list on the vty lines 0 4 and 5 15 didn't match. The list specified in the aaa settings did not match the one in the line (one digit off). Therefore, the switch was never looking to ACS when authenticating SSH users.
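The root cause above (a named method list that is defined under aaa but referenced under the vty lines with a slightly different name) is easy to miss by eye and is exactly the kind of thing a config check catches before the next switch is cut over. The following is an added example, not from the original thread or from Cisco: a small Python linter that parses an IOS-style running config, collects the named login/exec method lists defined under aaa, walks each line vty/con/aux block, and reports any line that applies a list name that does not exist. The two embedded configs are constructed samples modelled on the thread's settings; in the broken one the vty 0 4 block references listsw2 instead of listsw2s, which is the assumed form of the "one digit off" mistake.

```python
import re
from typing import Dict, List, Set

# Constructed sample based on the thread's config: named lists are listsw2s,
# but the "line vty 0 4" block references listsw2 (one character off), so
# SSH sessions landing on vty 0-4 never use the TACACS+ list.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login listsw2s group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec listsw2s group tacacs+ local
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key <key>
line vty 0 4
 login authentication listsw2
 authorization exec listsw2
line vty 5 15
 login authentication listsw2s
 authorization exec listsw2s
"""

# The corrected config: every vty block applies the list that aaa defines.
FIXED_CONFIG = BROKEN_CONFIG.replace("listsw2\n", "listsw2s\n")


def parse_aaa_lists(config: str) -> Dict[str, Set[str]]:
    """Collect the named method lists defined for login authentication
    and exec authorization (the two functions applied per line)."""
    defined: Dict[str, Set[str]] = {"login": set(), "exec": set()}
    for line in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) ", line)
        if m:
            defined["login"].add(m.group(1))
        m = re.match(r"aaa authorization exec (\S+) ", line)
        if m:
            defined["exec"].add(m.group(1))
    return defined


def parse_line_blocks(config: str) -> List[dict]:
    """Return one record per 'line vty/con/aux ...' block with the
    login and exec list names applied inside it (None if not set)."""
    blocks: List[dict] = []
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Any top-level command ends the current line block.
            current = None
            m = re.match(r"line (vty|con|aux) (.*)", line)
            if m:
                current = {"line": line.strip(), "login": None, "exec": None}
                blocks.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()
        m = re.match(r"login authentication (\S+)$", cmd)
        if m:
            current["login"] = m.group(1)
        m = re.match(r"authorization exec (\S+)$", cmd)
        if m:
            current["exec"] = m.group(1)
    return blocks


def lint_vty_lists(config: str) -> List[str]:
    """Report line blocks whose applied list name is not defined under aaa,
    plus blocks that apply no named list while no default list exists."""
    defined = parse_aaa_lists(config)
    problems: List[str] = []
    for blk in parse_line_blocks(config):
        for func in ("login", "exec"):
            name = blk[func]
            if name is None:
                if "default" not in defined[func]:
                    problems.append(
                        f"{blk['line']}: no {func} list applied and no "
                        f"default {func} list defined"
                    )
            elif name != "default" and name not in defined[func]:
                problems.append(
                    f"{blk['line']}: references undefined {func} list "
                    f"'{name}' (defined: {sorted(defined[func])})"
                )
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for p in lint_vty_lists(cfg) or ["no problems found"]:
            print("  " + p)
```

Run it against a saved show running-config; on the broken sample it flags both the login and the exec list on line vty 0 4 and nothing on vty 5 15, which matches the symptom in the thread where the test aaa command (which names the server group directly) succeeds while real SSH logins on the first vty range never reach ACS. The linter only checks name consistency; it does not verify that the referenced server group is reachable or that the ACS shell profile grants the privilege level, which is the separate issue raised later in the thread.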
12-31-2014 01:13 AM
12-31-2014 07:59 AM
OK, looks like I have everything working now. I had the wrong shell authorization specified for the group. I was authenticating, but then couldn't do anything.
But the other question is, when I download the support pack to view the logs, where does ACS send this download? It doesn't say.
12-31-2014 08:44 AM
Actually, I spoke too soon. It is working for some users and not others, even though they are set up exactly the same way. Some can authenticate and some cannot.
Where can I go to see what is failing?